Guides

The 5 payments fraud patterns hiding outside the transaction, and how to prevent them

by

Nicholas Anasa

on

May 22, 2026

Quick summary

What is payments fraud? Payments fraud covers common patterns like location spoofing, new account fraud, bonus abuse, multi-accounting, and chargeback exposure. Most of these aren't caught by standard fraud tools.
What does it cost platforms? The direct costs are refunds, fraudulent payouts, and dispute overhead. The less visible costs are corrupted acquisition data, false declines that drive away good customers, and regulatory exposure that builds quietly.
How do platforms catch it? Many patterns doing the most damage live in the location and device layer. Platforms catching them are verifying actual location at the moments that matter.


Payments platforms have built sophisticated fraud stacks. Identity verification, transaction monitoring, device fingerprinting, velocity checks. The tooling has gotten better every year. And yet fraud keeps finding ways through.

The reason isn't a gap in investment. It's a gap in signal. Most fraud tools in payments are built to catch bad transactions. The harder problem is that a lot of payments fraud doesn't look like a bad transaction. The identity checks out. The device looks normal. The payment clears. The fraud happened somewhere else entirely: in the gap between where a user claimed to be and where they actually were.

The scale of the problem is still growing. Reported internet-crime losses reached $16.6 billion in 2024, up 33% year over year. That's the uncomfortable reality for payments platforms: fraud investment keeps rising, but so does the cost of the fraud that gets through.

Here are the five most common fraud patterns hitting payments platforms right now, what each one costs, and what it takes to catch them.

1. Location spoofing

Location spoofing in payments is about jurisdiction, not delivery. When a payments user spoofs their location, they're typically trying to appear inside a permitted jurisdiction to access a product, rate, or service that isn't available where they actually are.

  • For neobanks and fintechs with US-only products, this shows up as users in sanctioned countries or restricted jurisdictions using VPNs to appear US-based, opening accounts, and operating them from offshore. Standard KYC catches the documents, but it typically doesn't catch the device.
  • For platforms with regional products, including certain credit products, buy-now-pay-later offerings, or P2P transfer limits that vary by state, location spoofing lets users access terms they're not eligible for. 

Standard fraud tools miss this because they're not looking at actual device location. An IP address is easy to spoof. A residential proxy makes it harder to detect. The gap between where a user's documents say they are and where their device actually is doesn't show up in a transaction review.

The exposure can compound. For example, the Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with BitPay for 2,102 apparent sanctions violations. According to OFAC, BitPay allowed people who appeared to be located in sanctioned jurisdictions (including Syria, Cuba, North Korea) to transact with merchants using digital currency, even though BitPay had IP addresses and other location data before processing the transactions.

How to catch location spoofing in payments

Platforms catching location spoofing effectively are verifying where the device actually is at the moments that matter. That includes signals like:

  • Device location at account opening, login, and high-risk transactions
  • Location mismatches between GPS, IP address, VPN, proxy, or claimed address
  • Jurisdiction-specific eligibility checks before access to restricted products or rates
  • Behavioral patterns that do not match the user's claimed location or normal activity

The goal is to move beyond IP geolocation alone. IP addresses are easy to mask, and residential proxies can make risky traffic look legitimate. Payments platforms need location signal that reflects where the device actually is, not just where the user claims to be.

2. New account fraud

New account fraud in payments happens when bad actors create accounts they were never meant to have access to. Sometimes that's a fully fake identity. Sometimes it's a synthetic one, constructed from a mix of real and fabricated information, like a real Social Security number paired with a fake name and address. 

Either way, the account passes KYC, gets access to the platform, and gets used for whatever the ring built it for. And it's likely going to get worse. Generative AI can be used to create synthetic identification docs, as well as deepfake audio and video. Deloitte projects that fraud losses could reach $40 billion by 2027.

The pattern at scale looks like this: rings create accounts using synthetic IDs and shared device infrastructure, targeting signup bonuses, referral credits, or P2P transfer limits. Each account looks clean in isolation. The pattern only becomes visible at the device and network level, when you see the same infrastructure behind dozens of accounts opened in the same window.

The downstream effect is what makes this costly over time. Accounts created for one fraud type get recycled for others. An account opened for a signup bonus may later be used for a fraudulent transfer or a disputed charge.

How to catch new account fraud

Platforms catching new account fraud effectively are looking beyond whether the identity documents are valid. They're checking for signs that multiple “new” users are actually connected. That includes signals like:

  • Multiple accounts opened from the same device, emulator, or IP range
  • Account creation patterns clustered around the same location or time window
  • Repeated onboarding behavior that looks scripted or unusually similar
  • New accounts that share device, network, or location patterns with known risky users

The goal is to flag those connections at onboarding, before the account can make its first transaction, claim a promotion, or create credit exposure.

3. Bonus and referral abuse

Payments platforms, particularly neobanks and fintech apps in growth mode, run acquisition programs. Signup bonuses, referral incentives, cash back on first transactions. They're standard tools for building a user base in competitive markets. They're also a primary target for fraud rings.

A ring creates dozens or hundreds of accounts using synthetic identities and shared device infrastructure. Each account claims the signup bonus or referral credit. The ring collects the payouts and moves on.

The direct payout loss is the obvious cost. The less obvious cost is what it does to acquisition data. The platform thinks it's growing its user base, but in reality it's paying a fraud ring to create disposable accounts. Customer growth reporting gets corrupted, which makes it harder to make good decisions about where to invest in growth.

How to catch bonus and referral abuse

Platforms catching bonus and referral abuse effectively are looking for shared infrastructure before the first incentive pays out. That includes signals like:

  • Multiple accounts created from the same device, emulator, or location cluster
  • Referral chains with repeated device or location overlap
  • New accounts that trigger bonus-eligible actions in unusually similar patterns
  • Campaign-window spikes tied to the same IP range, VPN, proxy, or device network

The goal is to catch the relationship between accounts in real time, not audit payout patterns after the money has already moved.

Some fraud detection platforms offer network graphs of associated users with the same device.

4. Multi-accounting

Payment platforms operate at enormous scale. In the first six months of 2024, Zelle users transferred $481 billion across 1.7 billion transactions. At that scale, even small rates of account abuse, limit evasion, or mule activity can create meaningful exposure, which is why multi-accounting can be a serious concern. 

Multi-accounting in payments is when the same user operates multiple accounts across a platform to exploit limits, promotions, or eligibility rules they wouldn't qualify for on a single account. Transfer limits, withdrawal caps, and regional product eligibility are all common targets.

What makes this different from new account fraud is that the accounts may be real. The user exists, the documents are valid, and each account passes verification on its own. The fraud is in the relationship between the accounts, which only becomes visible at the device and location layer.

There's also a good path dimension worth noting. Legitimate users don't typically need multiple accounts. When platforms can confidently identify that a device and location pattern is consistent with a real, single user, they can reduce friction for that user at checkout, login, and application. The same signal that catches multi-accounting also helps platforms extend trust to good customers faster.

How to catch multi-accounting

Platforms catching multi-accounting effectively are looking for account relationships that do not make sense for a normal user. That includes signals like:

  • The same device associated with multiple accounts
  • Multiple accounts created from the same location cluster
  • Repeated use of the same emulator, VPN, or proxy infrastructure
  • Transfer, withdrawal, or promotion activity split across accounts to avoid limits

The earlier this detection happens in the account lifecycle, the less exposure the platform carries. Ideally, platforms are identifying linked accounts at onboarding, before those accounts are used to exploit limits, claim promotions, or move money.

5. Chargeback exposure

Chargebacks in payments are a known cost of doing business. The dispute process is well established, the tooling is mature, and most platforms have workflows in place. But they're still becoming more expensive. Mastercard's 2025 chargeback research forecasts global chargeback volume will increase 24% from 2025 to 2028, hitting 324 million transactions annually. 

Where location signal adds value here isn't as a replacement for existing chargeback tools. It's as a supporting layer that strengthens dispute evidence and reduces false declines.

A transaction that looks suspicious in isolation looks different when you can confirm the user's device was at the expected location at the time of purchase. A disputed charge is easier to resolve when location data supports the legitimate transaction. A step-up auth decision is better calibrated when it triggers only when location signal suggests something is actually off, rather than applying friction broadly to every transaction that crosses a velocity threshold.

The false decline problem is real. Payments platforms that apply too much friction to legitimate users lose them. The same location signal that catches fraud can be used to extend trust to good customers and reduce unnecessary friction in their checkout and login flows.

How location signal supports chargeback and dispute workflows

Platforms using location signal effectively are using it to understand whether a transaction made sense in the real world. It can help them:

  • Confirm whether the user's device was where expected at the time of purchase or transfer
  • Spot location mismatches that may point to account takeover or unauthorized use
  • Decide when a transaction should trigger step-up authentication
  • Reduce unnecessary friction for legitimate users
  • Give fraud and dispute teams more context than transaction metadata alone

Using location signals to detect payments fraud

The common thread across all five fraud types is location and device signal. Location spoofing, new account fraud, bonus abuse, multi-accounting, and chargeback exposure all exploit the gap between what the platform thinks is happening and what's actually happening in the real world.

Identity verification and transaction monitoring matter, but they're not enough on their own. A user can pass KYC and still spoof their location. An account can look legitimate and still be one of fifty operated from the same device. A transaction can clear and still be disputed by someone who was never where they claimed to be.

Getting the tools to help

Most payments platforms dealing with these patterns are relying on tools that weren't built to catch them. 

Radar Protect is built for the layer where this fraud actually lives. It uses precise GPS verification, location spoofing detection, and environment fingerprinting, including signals like Wi-Fi and Bluetooth, to verify that a device is actually where it claims to be. By doing so, Radar can:

  • Stop the bad path: The fraud patterns in this piece share a common thread: they exploit the gap between what a platform thinks is happening and what's actually happening in the real world. Radar closes that gap by verifying location and device signal at the moments that matter, account opening, high-risk transactions, and eligibility checks, so bad actors get flagged before the damage is done.
  • Protect the good path: The same signal that stops fraud also makes life easier for legitimate users. When Radar can confirm that a device and location pattern is consistent with a real, trusted customer, platforms can reduce friction at checkout, login, and application. The goal isn't to add more friction. It's to apply it only to the 1% who deserve it.

The fraud patterns in this piece are solvable. The question is whether the tools in place were built to solve them. If you're interested, get in touch and learn how Radar complements existing fraud stacks and sits inside the same platform teams already use for geofencing, base maps, fleet tracking, and location-based marketing.

It's time to build

See what Radar's location infrastructure and intelligence can do for your business.

Get a demo